{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-36892","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-30T15:25:07.065Z","datePublished":"2024-05-30T15:28:58.528Z","dateUpdated":"2025-05-04T09:11:32.091Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:11:32.091Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid zeroing outside-object freepointer for single free\n\nCommit 284f17ac13fe (\"mm/slub: handle bulk and single object freeing\nseparately\") splits single and bulk object freeing in two functions\nslab_free() and slab_free_bulk() which leads slab_free() to call\nslab_free_hook() directly instead of slab_free_freelist_hook().\n\nIf `init_on_free` is set, slab_free_hook() zeroes the object.\nAfterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are\nset, the do_slab_free() slowpath executes freelist consistency\nchecks and try to decode a zeroed freepointer which leads to a\n\"Freepointer corrupt\" detection in check_object().\n\nDuring bulk free, slab_free_freelist_hook() isn't affected as it always\nsets it objects freepointer using set_freepointer() to maintain its\nreconstructed freelist after `init_on_free`.\n\nFor single free, object's freepointer thus needs to be avoided when\nstored outside the object if `init_on_free` is set. The freepointer left\nas is, check_object() may later detect an invalid pointer value due to\nobjects overflow.\n\nTo reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the\ncommand line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.\n\ndmesg sample log:\n[   10.708715] =============================================================================\n[   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt\n[   10.712695] -----------------------------------------------------------------------------\n[   10.712695]\n[   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)\n[   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c\n[   10.716698]\n[   10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035667c: 00 00 00 00                                      ....\n[   10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/slub.c"],"versions":[{"version":"284f17ac13fe34ae9eecbe57bb91553374d9b855","lessThan":"56900355485f6e82114b18c812edd57fd7970dcb","status":"affected","versionType":"git"},{"version":"284f17ac13fe34ae9eecbe57bb91553374d9b855","lessThan":"8f828aa48812ced28aa39cb3cfe55ef2444d03dd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/slub.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.8.10","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb"},{"url":"https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd"}],"title":"mm/slub: avoid zeroing outside-object freepointer for single free","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-10T18:49:22.924151Z","id":"CVE-2024-36892","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-30T15:12:52.190Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:43:49.159Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd","tags":["x_transferred"]}]}]}}